# Secrets Manager: Dynamic/Short-lived Secrets Support
## Description
### Summary
Enable on-demand generation of credentials that expire and are revoked automatically. Dynamic secrets eliminate the risk of credential sprawl and provide just-in-time access to resources.
### Problem Statement
The current implementation supports only static key/value (KV) secrets:
- Secrets never change automatically
- No credential generation capability
- No lease management or automatic revocation
- Manual rotation required for all secrets
### Proposal
Implement a dynamic secrets engine system with pluggable backends:
```mermaid
sequenceDiagram
participant App as Application
participant SM as Secrets Manager
participant Target as Target System
App->>SM: Request dynamic secret
SM->>Target: Generate credential
Target-->>SM: Credential created
SM-->>App: Return credentials + lease_id + TTL
Note over SM,Target: On lease expiry
SM->>Target: Auto-revoke credential
```
### Key Deliverables
1. **Secrets Engine Framework**
- Pluggable engine architecture
- Lease management system
- Automatic revocation on expiry
2. **Database Engines**
- PostgreSQL dynamic credentials
- MySQL dynamic credentials
- MongoDB dynamic credentials
3. **Cloud Provider Engines**
- AWS IAM/STS credentials
- GCP Service Account keys
- Azure Service Principal
4. **Lease Management**
- Track active leases
- Lease renewal API
- Manual revocation
- Grace period handling
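The request / lease / revoke cycle from the sequence diagram above, together with the lease-management deliverables (tracking, renewal, manual revocation, grace period), as an added worked example in Python. It is not part of this issue or of the project's code base: every name in it (`SecretsEngine`, `FakeDatabaseEngine`, `Lease`, `LeaseManager`, `FakeClock`) is hypothetical, the database engine is an in-memory stand-in for a PostgreSQL/MySQL backend, the clock is constructed so the timeline is deterministic, and the semantics of `max_ttl` (renewal may extend a lease but never past a cap fixed at issue time) and of the grace period (a lease may still be renewed inside it, and is only auto-revoked after it) are assumptions about how the proposal would behave.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Protocol


class SecretsEngine(Protocol):
    """Pluggable backend contract (hypothetical): create a credential, later destroy it."""

    def generate(self, role: str) -> dict: ...
    def revoke(self, credential: dict) -> None: ...


class FakeDatabaseEngine:
    """Constructed stand-in for a database engine: records the users it 'created'."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}

    def generate(self, role: str) -> dict:
        username = f"v-{role}-{secrets.token_hex(4)}"  # unique, role-prefixed login
        password = secrets.token_urlsafe(24)           # random, never reused
        self.users[username] = password                # real engine: CREATE ROLE ... LOGIN
        return {"username": username, "password": password}

    def revoke(self, credential: dict) -> None:
        self.users.pop(credential["username"], None)   # real engine: DROP ROLE


@dataclass
class Lease:
    lease_id: str
    engine: str
    role: str
    credential: dict
    expires_at: float       # moves forward on renewal
    max_expires_at: float   # hard cap fixed at issue time; renewal never passes it


class LeaseManager:
    """Issues, renews, revokes and expires leases; the clock is injectable for testing."""

    def __init__(self, grace_period: float = 0.0, clock: Callable[[], float] = time.time) -> None:
        self.engines: Dict[str, SecretsEngine] = {}
        self.leases: Dict[str, Lease] = {}
        self.grace_period = grace_period
        self.clock = clock
        self.audit: List[tuple] = []  # every lifecycle event is recorded for audit logging

    def mount(self, name: str, engine: SecretsEngine) -> None:
        self.engines[name] = engine

    def issue(self, engine: str, role: str, ttl: float, max_ttl: float) -> dict:
        credential = self.engines[engine].generate(role)
        now = self.clock()
        lease = Lease(secrets.token_hex(8), engine, role, credential, now + ttl, now + max_ttl)
        self.leases[lease.lease_id] = lease
        self.audit.append(("issue", lease.lease_id, engine, role))
        return {"lease_id": lease.lease_id, "ttl": ttl, "data": credential}

    def _live(self, lease_id: str) -> Lease:
        # A lease past expiry but inside the grace period is still renewable.
        lease = self.leases.get(lease_id)
        if lease is None or self.clock() > lease.expires_at + self.grace_period:
            raise LookupError("lease unknown or expired")
        return lease

    def renew(self, lease_id: str, increment: float) -> float:
        """Extend the lease; returns the TTL actually granted (capped by max_ttl)."""
        lease = self._live(lease_id)
        now = self.clock()
        lease.expires_at = min(now + increment, lease.max_expires_at)
        self.audit.append(("renew", lease_id))
        return lease.expires_at - now

    def revoke(self, lease_id: str) -> None:
        """Manual or automatic revocation: destroy the credential, then forget the lease."""
        lease = self.leases.pop(lease_id)
        self.engines[lease.engine].revoke(lease.credential)
        self.audit.append(("revoke", lease_id))

    def expire(self) -> List[str]:
        """One tick of the background worker: revoke leases past expiry plus grace period."""
        now = self.clock()
        due = [lid for lid, l in self.leases.items() if now > l.expires_at + self.grace_period]
        for lid in due:
            self.revoke(lid)
        return due


class FakeClock:
    """Constructed clock so the walkthrough below is deterministic."""
    def __init__(self, start: float = 1000.0) -> None:
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Walk one lease through issue, renewal, cap, grace period and auto-revocation."""
    clock, db = FakeClock(), FakeDatabaseEngine()
    mgr = LeaseManager(grace_period=5.0, clock=clock)
    mgr.mount("postgres", db)
    out: dict = {}
    issued = mgr.issue("postgres", "readonly", ttl=60, max_ttl=120)
    user = issued["data"]["username"]
    out["created_on_target"] = user in db.users
    clock.advance(50)
    out["first_renewal_ttl"] = mgr.renew(issued["lease_id"], 60)   # full 60s, under the cap
    clock.advance(55)
    out["capped_renewal_ttl"] = mgr.renew(issued["lease_id"], 60)  # only 15s left to max_ttl
    clock.advance(15)
    out["revoked_within_grace"] = mgr.expire()                      # expired but inside grace
    clock.advance(6)
    out["revoked_after_grace"] = mgr.expire() == [issued["lease_id"]]
    out["dropped_on_target"] = user not in db.users
    try:
        mgr.renew(issued["lease_id"], 60)
        out["stale_renew_rejected"] = False
    except LookupError:
        out["stale_renew_rejected"] = True
    second = mgr.issue("postgres", "writer", ttl=60, max_ttl=60)
    mgr.revoke(second["lease_id"])                                  # manual revocation
    out["manual_revoke_dropped"] = second["data"]["username"] not in db.users
    out["audit_events"] = [event[0] for event in mgr.audit]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting: the target-system credential is destroyed before the lease record is dropped, so a crash between the two steps leaves a lease that points at a non-existent credential (harmless, cleaned up on the next worker tick) rather than an orphaned credential with no lease tracking it. In a real backend `generate` and `revoke` would issue the `CREATE ROLE` / `DROP ROLE` (or STS / service-account) calls, and `expire` would run from a scheduled worker against persisted lease rows.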
### User Stories
| ID | Story | Points |
|----|-------|--------|
| US-2.1 | Configure database secrets engine | 8 |
| US-2.2 | Request dynamic database credentials | 5 |
| US-2.3 | Configure AWS secrets engine | 8 |
| US-2.4 | Request AWS STS credentials | 5 |
| US-2.5 | View active leases | 5 |
| US-2.6 | Manually revoke lease | 3 |
| US-2.7 | Renew lease | 5 |
| US-2.8 | Configure lease policies | 5 |
| US-2.9 | GCP secrets engine | 8 |
| US-2.10 | Azure secrets engine | 8 |
| US-2.11 | CI/CD dynamic secrets | 13 |
**Total Story Points:** ~79
### Technical Requirements
- New models: `DynamicSecretsEngine`, `DynamicSecretLease`, `DynamicSecretsRole`
- Background workers for lease expiry
- Secure connection config storage (encrypted)
### Non-Functional Requirements
| Category | Requirement |
|----------|-------------|
| Performance | Credential generation < 5s, Lease operations < 500ms |
| Scalability | 10K concurrent leases, 1K leases/minute |
| Security | Encrypted configs, audit logging, minimal privilege |
| Reliability | 99.9% generation success, graceful degradation |
### Effort Estimate
- **Duration:** 4-5 months + ongoing integrations
- **Team:** 4 engineers (3 BE, 1 DevOps)